As malicious software or “malware” becomes more common, new techniques are being developed by antivirus service providers to combat the threat. Current techniques involve using signature-based detection, heuristic-based detection and file emulation. Signature-based detection uses a pattern of virus signatures to compare to existing files on a computer; the pattern of virus signatures is based upon previously obtained samples of viruses and requires frequent updates of the pattern. A virus signature can only be created after a sample of the malware has been obtained and analyzed. Accordingly, a virus pattern may not be up to date and may not include signatures of the latest malware circulating.
Heuristic-based detection techniques (also called behavior-based detection) do not necessarily require a virus pattern to detect malware, but instead base detection of malware upon activities of the malware, its behavior, and other indications that a certain type of malware is operating within a computer. In other words, certain “rules of thumb” (or heuristics) are associated with a certain type of malware and are used to detect that type of malware. Heuristic-based detection requires that the antivirus software have installed a heuristic or behavior monitor.
File emulation is a heuristic approach to malware detection in which a copy of the suspected malware program is obtained, executed within a safe environment, and monitored for the actions it performs. This approach requires identifying the suspected malware beforehand and having available a safe, virtual environment in which to test the suspected malware. A type of malware known as a rootkit is especially troublesome and is designed to gain administrator-level control over a computer without the user's knowledge. A rootkit can change how the operating system functions and can also disable antivirus software; detecting a rootkit usually requires installation of a special anti-rootkit module of the antivirus software.
Some sophisticated malware is even able to thwart installation of antivirus software upon a computer, thus preventing the antivirus software from detecting the malware. Such malware may block the installation of the antivirus software, may stop the antivirus software from operating or may render the antivirus software somewhat ineffective. In order to detect such sophisticated malware, an antivirus service provider may use a pre-scan software module to perform a quick scan before the antivirus software is installed and a full-blown scan occurs. A pre-scan currently operates by scanning a computer's hard disk, memory and registry using a signature-based virus pattern file. This pre-scan can be effective because its pattern may detect malware on the disk, and because the antivirus software is not yet being installed, the malware's ability to thwart installation does not come into play.
Unfortunately, there are disadvantages to performing a pre-scan. For one, the virus pattern used by the pre-scan module may not be up to date; if the pattern does not cover the latest malware present on the computer, the malware will not be detected. A pre-scan cannot perform heuristic-based detection because no heuristic or behavior monitor has been installed. Also, no anti-rootkit module has been installed, so no detection of a possible rootkit can be performed. Additionally, in order to speed up the process, typically only critical areas of the disk or the operating system are checked during a pre-scan; this may mean that some malware is missed. Accordingly, a technique is desired that would improve the effectiveness of a pre-scan in order to better detect malware before antivirus software is installed.
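The following is an added illustration, not code from the original document or from any antivirus vendor, of the signature-based pre-scan described above and of its first disadvantage: a pattern file that has not been updated silently misses newer samples. The signature names, byte patterns, file paths and file contents are all constructed for the example; the pattern-file "versions" stand in for a stale and an updated virus pattern.

```python
"""Minimal signature-based pre-scan (constructed example).

A pattern file is a list of (name, byte sequence) signatures. The pre-scan
walks the items it is given (standing in for disk, memory and registry
contents) and reports every signature whose byte sequence occurs in an item.
Nothing here executes or emulates the scanned content.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    name: str       # hypothetical family name used in this example
    pattern: bytes  # byte sequence the pattern file associates with the family


# Constructed pattern file, "version 1": knows two hypothetical families.
PATTERN_V1 = (
    Signature("EXAMPLE.Dropper.A", b"EXMPL-DROPPER-A"),
    Signature("EXAMPLE.Keylogger.B", b"EXMPL-KEYLOG-B"),
)

# "Version 2" adds a signature for a newer hypothetical family that
# version 1 knows nothing about (the "pattern not up to date" case).
PATTERN_V2 = PATTERN_V1 + (Signature("EXAMPLE.Rootkit.C", b"EXMPL-RTKT-C"),)

# Constructed scan items; the paths are placeholders, the contents are
# synthetic and contain no real code.
SAMPLE_ITEMS = {
    "C:/Windows/System32/legit.dll": b"MZ\x90\x00 ordinary benign content ...",
    "C:/Users/user/Downloads/setup.exe": b"MZ\x90\x00 ... EXMPL-DROPPER-A ...",
    "C:/Windows/drivers/hidden.sys": b"MZ\x90\x00 ... EXMPL-RTKT-C ...",
}


def match_signatures(data, patterns):
    """Return the names of every signature whose byte pattern occurs in data."""
    return [sig.name for sig in patterns if sig.pattern in data]


def prescan(items, patterns):
    """Scan each item against the pattern file.

    Returns {path: [detection names]} for items with at least one hit;
    items with no hit are omitted, exactly as a stale pattern would omit
    a sample it has no signature for.
    """
    results = {}
    for path, data in items.items():
        hits = match_signatures(data, patterns)
        if hits:
            results[path] = hits
    return results


def missed_by_stale(items, stale_patterns, fresh_patterns):
    """Items the fresh pattern file detects that the stale one does not.

    This is the gap the text describes: malware already on the machine
    that the pre-scan cannot see until its pattern file is updated.
    """
    stale_hits = prescan(items, stale_patterns)
    fresh_hits = prescan(items, fresh_patterns)
    return {path: hits for path, hits in fresh_hits.items() if path not in stale_hits}


if __name__ == "__main__":
    print("pre-scan with pattern v1:", prescan(SAMPLE_ITEMS, PATTERN_V1))
    print("pre-scan with pattern v2:", prescan(SAMPLE_ITEMS, PATTERN_V2))
    print("missed by the stale pattern:",
          missed_by_stale(SAMPLE_ITEMS, PATTERN_V1, PATTERN_V2))
```

Running the module with the stale pattern reports only the dropper sample; the item carrying the newer family's byte sequence is reported only once the pattern file is updated, which is why a pre-scan that relies solely on a signature pattern cannot be assumed to have found everything present on the computer.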